Security issues with Front End Server in a DMZ?

Posted on 2004-03-23
Last Modified: 2013-12-04
We currently have a Front End/Back End Exchange configuration which resides completely behind a firewall.  It seems we are having to evaluate the option of sticking the FE server out in the DMZ for direct access to POP, IMAP, etc.  

*Currently, all users access the corporate network via VPN for access to Exchange mail.  Performance (speed) and accessibility issues have been expressed by a number of our users when connecting in this manner.

If we were only to open the secure ports ->
443 - HTTP (SSL)
993 - IMAP4 (SSL)
995 - POP3 (SSL)
...what are the obvious security risks?

It appears to be an infrastructure design practice preached by MS and I just need to be well-informed about any security concerns before implementing.  The FE is NOT a GC and has no mailbox store mounted...

thanks for any insight!
Question by:davis
10 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10658902
List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://www.onctek.com/trojanports.html

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10658924
0
 
LVL 12

Accepted Solution

by:
trywaredk earned 125 total points
ID: 10658964
Improving the Security of PST Files
http://support.microsoft.com/default.aspx?scid=kb;en-us;143241

Downloading and Using the Security Configuration Manager Tool:
http://support.microsoft.com/default.aspx?scid=kb;en-us;245216

Stress Tools to Test Your Web Server:
http://support.microsoft.com/default.aspx?scid=kb;en-us;231282

WebCast: Using the Microsoft Security Tool Kit to Get and Stay Secure
http://support.microsoft.com/default.aspx?scid=kb;en-us;324892

Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp

Maximum Windows 2000 Security
http://www.bookpool.com/.x/rmpdj26gor/sm/0672319659


0
 
LVL 1

Author Comment

by:davis
ID: 10660267
Lots of good resources here - thanks!

To quote an excerpt from your 2nd posted link:
"Just about any firewall will allow packet and port filtering in order to protect your network and Exchange environment. While this is a good start for protecting your servers, it falls short of complete protection since you have to open ports to allow access to the data in your private network. For example, port 25 must be opened to allow for SMTP traffic, port 80 for HTTP."

...with the FE in a perimeter zone (between two firewalls), as shown in the diagram, is the internal network still at risk?  Unclear what can be at risk - the FE, the BE (back-end), or both.

thanks for any clarification!!
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10661444
I didn't study it all, but the solution is here:

Microsoft Exchange 2000 Server Front-End and Back-End Topology
 Advantages of a Front-End and Back-End Server Environment
 How Front-end and Back-end Topology Works
 Deployment Considerations
 Scenarios
 Configuring a Front-End Server
 Configuring a Back-End Server
 Configuring Firewalls
 Front-end and Back-end Topology Checklist
 Front-end and Back-end Topology Troubleshooting Steps
 Additional Resources
http://www.microsoft.com/technet/prodtechnol/exchange/2000/maintain/e2kfront.mspx
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10661452
SoftScan puts an end to virus and spam threats from the Internet
http://www.softscan.dk/english/index.asp
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10661479
Remember to have a different/difficult password for the administrator on the FE server, than on the BE and the rest of your servers, and setup auditing on FE

HOW TO: Enable and Apply Security Auditing in Windows 2000 Server and Windows 2000 Professional:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549&sd=tech

Windows 2000 Server Security Guidelines - Audit accounts
http://www.colorado.edu/its/windows2000/adminguide/w2ksecguidelines.html#localpolicy

EMCO EventLog Audit collects the eventlog from the computers on the LAN, to a database
http://www.1000files.com/Utilities/Network/EMCO_EventLog_Audit_6132_Review.html
0
 
LVL 1

Author Comment

by:davis
ID: 10661513
I have used the 'maintain' article quite a bit - kind of a bible.

I think I found the answer in the article you posted earlier : http://www.microsoft.com/technet/security/prodtech/mailexch/opsguide/e2ksec04.mspx

Also found elsewhere, it stated :
"For security reasons, you don't want to install a front-end server in a DMZ.
Why?  Because you have to open up a whole stack of ports between the
networks.  A much more secure solution is to have the FE server on the
internal network, with ISA Server in the DMZ publishing OWA."

I would imagine it would be suggested to run ISA or some other firewall that will do application proxy.  Something to scan the traffic on IMAP, SMTP, POP before passing on to the mailserver.

Thanks for your references!


0
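To put numbers on the two positions in this thread (the question's "only 443, 993 and 995 from the Internet" and the quoted advice that a front-end server in the DMZ means "a whole stack of ports between the networks"), here is an added example; it is not code from the thread, from Microsoft or from ISA Server. It compares two constructed firewall rule sets from the attacker's side of the outer firewall: what the Internet can reach, and what a compromised DMZ host can then reach on the internal network. The DMZ->internal list for the FE-in-DMZ design is an assumption modelled on the Exchange 2000 front-end/back-end firewall requirements (HTTP, POP3 and IMAP4 to the back end, LDAP, Kerberos and DNS to the domain controllers, RPC for directory access) and must be checked against the topology guide linked earlier; the 1024-65535 range assumes the RPC ports have not been pinned. Zone names, the `Rule` type and the `audit` function are this example's own.

```python
"""Compare what two Exchange front-end placements expose through the firewalls.

Added example, not code from the original thread. The rule sets are
constructed for illustration; the DMZ->internal list models the Exchange 2000
front-end/back-end requirements (HTTP, POP3 and IMAP4 to the back end, LDAP,
Kerberos and DNS to the domain controllers, RPC for directory access) and
must be checked against the Microsoft topology guide for the version in use.
"""
from dataclasses import dataclass

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"

# Ports the question proposes to expose: TLS-wrapped client protocols only.
SECURE_CLIENT_PORTS = {443, 993, 995}
# Their cleartext counterparts, mapped to the TLS port that should replace them.
CLEARTEXT_CLIENT_PORTS = {80: 443, 143: 993, 110: 995}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    lo: int     # first allowed destination port
    hi: int     # last allowed destination port (== lo for a single port)
    note: str = ""


def rule(src, dst, proto, ports, note=""):
    """Build a Rule from a single port or a (lo, hi) range."""
    lo, hi = (ports, ports) if isinstance(ports, int) else ports
    return Rule(src, dst, proto, lo, hi, note)


# Design A (constructed): front-end server in the DMZ; back end and DCs internal.
FE_IN_DMZ = [
    rule(INTERNET, DMZ, "tcp", 443, "OWA over SSL"),
    rule(INTERNET, DMZ, "tcp", 993, "IMAP4 over SSL"),
    rule(INTERNET, DMZ, "tcp", 995, "POP3 over SSL"),
    rule(DMZ, INTERNAL, "tcp", 80, "FE -> BE HTTP, proxied OWA in the clear"),
    rule(DMZ, INTERNAL, "tcp", 143, "FE -> BE IMAP4 in the clear"),
    rule(DMZ, INTERNAL, "tcp", 110, "FE -> BE POP3 in the clear"),
    rule(DMZ, INTERNAL, "tcp", 389, "FE -> DC LDAP"),
    rule(DMZ, INTERNAL, "tcp", 3268, "FE -> global catalog LDAP"),
    rule(DMZ, INTERNAL, "tcp", 88, "FE -> DC Kerberos"),
    rule(DMZ, INTERNAL, "udp", 88, "FE -> DC Kerberos"),
    rule(DMZ, INTERNAL, "udp", 53, "FE -> internal DNS"),
    rule(DMZ, INTERNAL, "tcp", 135, "FE -> DC RPC endpoint mapper"),
    rule(DMZ, INTERNAL, "tcp", (1024, 65535), "RPC dynamic ports unless pinned"),
]

# Design B (constructed): application proxy (ISA Server in the quoted advice)
# in the DMZ publishing OWA; the front-end server stays on the internal network.
PROXY_IN_DMZ = [
    rule(INTERNET, DMZ, "tcp", 443, "OWA over SSL, terminated on the proxy"),
    rule(DMZ, INTERNAL, "tcp", 443, "proxy -> FE, re-encrypted"),
]

# Design A with a common mistake: plain HTTP left open "for the redirect page".
FE_IN_DMZ_SLOPPY = FE_IN_DMZ + [rule(INTERNET, DMZ, "tcp", 80, "OWA over plain HTTP")]


def audit(rules):
    """Summarise a rule set from the attacker's point of view.

    internet_ports: destination ports reachable from the Internet.
    cleartext_internet: Internet-facing cleartext ports -> their TLS equivalent.
    pivot_ports: (proto, port) pairs an attacker on a compromised DMZ host
        can reach on the internal network through single-port rules.
    pivot_cleartext: DMZ->internal TCP ports that carry credentials in the clear.
    wide_ranges: DMZ->internal rules wider than one port (dynamic RPC, etc.).
    """
    f = {"internet_ports": set(), "cleartext_internet": {},
         "pivot_ports": set(), "pivot_cleartext": [], "wide_ranges": []}
    for r in rules:
        if r.src == INTERNET:
            for p in range(r.lo, r.hi + 1):
                f["internet_ports"].add(p)
                if p in CLEARTEXT_CLIENT_PORTS:
                    f["cleartext_internet"][p] = CLEARTEXT_CLIENT_PORTS[p]
        elif r.src == DMZ and r.dst == INTERNAL:
            if r.lo != r.hi:
                f["wide_ranges"].append((r.lo, r.hi, r.note))
                continue
            f["pivot_ports"].add((r.proto, r.lo))
            if r.proto == "tcp" and r.lo in CLEARTEXT_CLIENT_PORTS:
                f["pivot_cleartext"].append(r.lo)
    return f


def report(name, rules):
    f = audit(rules)
    print(f"{name}: Internet-facing ports {sorted(f['internet_ports'])}")
    if f["cleartext_internet"]:
        print("  cleartext exposed to the Internet:", f["cleartext_internet"])
    print(f"  internal ports reachable from a compromised DMZ host: "
          f"{len(f['pivot_ports'])} pinned, {len(f['wide_ranges'])} open range(s)")
    if f["pivot_cleartext"]:
        print("  credentials cross the inner firewall in the clear on TCP",
              sorted(f["pivot_cleartext"]))


if __name__ == "__main__":
    for name, rules in [("FE in DMZ", FE_IN_DMZ), ("FE in DMZ, sloppy", FE_IN_DMZ_SLOPPY),
                        ("proxy in DMZ", PROXY_IN_DMZ)]:
        report(name, rules)
```

Run as a script it prints one summary per design. The point it makes is the one the thread arrives at: the three Internet-facing ports look the same in both designs, but with the FE in the DMZ an attacker who owns the FE has nine pinned internal ports plus an open RPC range to work with, and the proxied OWA, POP3 and IMAP4 sessions cross the inner firewall unencrypted, so the back end and the domain controllers are at risk, not just the FE. With an application proxy in the DMZ the inner firewall carries a single re-encrypted port to an internal FE.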
 
LVL 1

Author Comment

by:davis
ID: 10661529
Oops - meant to Accept the one just above the one I actually accepted.

I found it much more concise and useful
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10661829
:o) Glad I could help you - thank you for the points
0
